4 samr interface definition
6 import "misc.idl", "lsa.idl", "security.idl";
9 Thanks to Todd Sabin for some information from his samr.idl in acltools
12 [ uuid("12345778-1234-abcd-ef00-0123456789ac"),
14 endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
15 pointer_default(unique)
18 typedef bitmap security_secinfo security_secinfo;
20 /* account control (acct_flags) bits */
21 typedef [public,bitmap32bit] bitmap {
22 ACB_DISABLED = 0x00000001, /* 1 = User account disabled */
23 ACB_HOMDIRREQ = 0x00000002, /* 1 = Home directory required */
24 ACB_PWNOTREQ = 0x00000004, /* 1 = User password not required */
25 ACB_TEMPDUP = 0x00000008, /* 1 = Temporary duplicate account */
26 ACB_NORMAL = 0x00000010, /* 1 = Normal user account */
27 ACB_MNS = 0x00000020, /* 1 = MNS logon user account */
28 ACB_DOMTRUST = 0x00000040, /* 1 = Interdomain trust account */
29 ACB_WSTRUST = 0x00000080, /* 1 = Workstation trust account */
30 ACB_SVRTRUST = 0x00000100, /* 1 = Server trust account */
31 ACB_PWNOEXP = 0x00000200, /* 1 = User password does not expire */
32 ACB_AUTOLOCK = 0x00000400, /* 1 = Account auto locked */
33 ACB_ENC_TXT_PWD_ALLOWED = 0x00000800, /* 1 = Encryped text password is allowed */
34 ACB_SMARTCARD_REQUIRED = 0x00001000, /* 1 = Smart Card required */
35 ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
36 ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */
37 ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */
38 ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */
39 ACB_PW_EXPIRED = 0x00020000, /* 1 = Password Expired */
40 ACB_NO_AUTH_DATA_REQD = 0x00080000 /* 1 = No authorization data required */
43 /* SAM server specific access rights */
45 typedef [bitmap32bit] bitmap {
46 SAMR_ACCESS_CONNECT_TO_SERVER = 0x00000001,
47 SAMR_ACCESS_SHUTDOWN_SERVER = 0x00000002,
48 SAMR_ACCESS_INITIALIZE_SERVER = 0x00000004,
49 SAMR_ACCESS_CREATE_DOMAIN = 0x00000008,
50 SAMR_ACCESS_ENUM_DOMAINS = 0x00000010,
51 SAMR_ACCESS_OPEN_DOMAIN = 0x00000020
52 } samr_ConnectAccessMask;
54 const int SAMR_ACCESS_ALL_ACCESS = 0x0000003F;
56 const int GENERIC_RIGHTS_SAM_ALL_ACCESS =
57 (STANDARD_RIGHTS_REQUIRED_ACCESS |
58 SAMR_ACCESS_ALL_ACCESS);
60 const int GENERIC_RIGHTS_SAM_READ =
61 (STANDARD_RIGHTS_READ_ACCESS |
62 SAMR_ACCESS_ENUM_DOMAINS);
64 const int GENERIC_RIGHTS_SAM_WRITE =
65 (STANDARD_RIGHTS_WRITE_ACCESS |
66 SAMR_ACCESS_CREATE_DOMAIN |
67 SAMR_ACCESS_INITIALIZE_SERVER |
68 SAMR_ACCESS_SHUTDOWN_SERVER);
70 const int GENERIC_RIGHTS_SAM_EXECUTE =
71 (STANDARD_RIGHTS_EXECUTE_ACCESS |
72 SAMR_ACCESS_OPEN_DOMAIN |
73 SAMR_ACCESS_CONNECT_TO_SERVER);
75 /* User Object specific access rights */
77 typedef [bitmap32bit] bitmap {
78 SAMR_USER_ACCESS_GET_NAME_ETC = 0x00000001,
79 SAMR_USER_ACCESS_GET_LOCALE = 0x00000002,
80 SAMR_USER_ACCESS_SET_LOC_COM = 0x00000004,
81 SAMR_USER_ACCESS_GET_LOGONINFO = 0x00000008,
82 SAMR_USER_ACCESS_GET_ATTRIBUTES = 0x00000010,
83 SAMR_USER_ACCESS_SET_ATTRIBUTES = 0x00000020,
84 SAMR_USER_ACCESS_CHANGE_PASSWORD = 0x00000040,
85 SAMR_USER_ACCESS_SET_PASSWORD = 0x00000080,
86 SAMR_USER_ACCESS_GET_GROUPS = 0x00000100,
87 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP = 0x00000200,
88 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP = 0x00000400
89 } samr_UserAccessMask;
91 const int SAMR_USER_ACCESS_ALL_ACCESS = 0x000007FF;
93 const int GENERIC_RIGHTS_USER_ALL_ACCESS =
94 (STANDARD_RIGHTS_REQUIRED_ACCESS |
95 SAMR_USER_ACCESS_ALL_ACCESS); /* 0x000f07ff */
97 const int GENERIC_RIGHTS_USER_READ =
98 (STANDARD_RIGHTS_READ_ACCESS |
99 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP |
100 SAMR_USER_ACCESS_GET_GROUPS |
101 SAMR_USER_ACCESS_GET_ATTRIBUTES |
102 SAMR_USER_ACCESS_GET_LOGONINFO |
103 SAMR_USER_ACCESS_GET_LOCALE); /* 0x0002031a */
105 const int GENERIC_RIGHTS_USER_WRITE =
106 (STANDARD_RIGHTS_WRITE_ACCESS |
107 SAMR_USER_ACCESS_CHANGE_PASSWORD |
108 SAMR_USER_ACCESS_SET_LOC_COM |
109 SAMR_USER_ACCESS_SET_ATTRIBUTES |
110 SAMR_USER_ACCESS_SET_PASSWORD |
111 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP); /* 0x000204e4 */
113 const int GENERIC_RIGHTS_USER_EXECUTE =
114 (STANDARD_RIGHTS_EXECUTE_ACCESS |
115 SAMR_USER_ACCESS_CHANGE_PASSWORD |
116 SAMR_USER_ACCESS_GET_NAME_ETC); /* 0x00020041 */
118 typedef [bitmap32bit] bitmap {
119 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 = 0x00000001,
120 SAMR_DOMAIN_ACCESS_SET_INFO_1 = 0x00000002,
121 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 = 0x00000004,
122 SAMR_DOMAIN_ACCESS_SET_INFO_2 = 0x00000008,
123 SAMR_DOMAIN_ACCESS_CREATE_USER = 0x00000010,
124 SAMR_DOMAIN_ACCESS_CREATE_GROUP = 0x00000020,
125 SAMR_DOMAIN_ACCESS_CREATE_ALIAS = 0x00000040,
126 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS = 0x00000080,
127 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS = 0x00000100,
128 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT = 0x00000200,
129 SAMR_DOMAIN_ACCESS_SET_INFO_3 = 0x00000400
130 } samr_DomainAccessMask;
132 typedef [bitmap32bit] bitmap {
133 SAMR_GROUP_ACCESS_LOOKUP_INFO = 0x00000001,
134 SAMR_GROUP_ACCESS_SET_INFO = 0x00000002,
135 SAMR_GROUP_ACCESS_ADD_MEMBER = 0x00000004,
136 SAMR_GROUP_ACCESS_REMOVE_MEMBER = 0x00000008,
137 SAMR_GROUP_ACCESS_GET_MEMBERS = 0x00000010
138 } samr_GroupAccessMask;
140 typedef [bitmap32bit] bitmap {
141 SAMR_ALIAS_ACCESS_ADD_MEMBER = 0x00000001,
142 SAMR_ALIAS_ACCESS_REMOVE_MEMBER = 0x00000002,
143 SAMR_ALIAS_ACCESS_GET_MEMBERS = 0x00000004,
144 SAMR_ALIAS_ACCESS_LOOKUP_INFO = 0x00000008,
145 SAMR_ALIAS_ACCESS_SET_INFO = 0x00000010
146 } samr_AliasAccessMask;
150 NTSTATUS samr_Connect (
151 /* notice the lack of [string] */
152 [in,unique] uint16 *system_name,
153 [in] samr_ConnectAccessMask access_mask,
154 [out,ref] policy_handle *connect_handle
160 [public] NTSTATUS samr_Close (
161 [in,out,ref] policy_handle *handle
167 NTSTATUS samr_SetSecurity (
168 [in,ref] policy_handle *handle,
169 [in] security_secinfo sec_info,
170 [in,ref] sec_desc_buf *sdbuf
176 NTSTATUS samr_QuerySecurity (
177 [in,ref] policy_handle *handle,
178 [in] security_secinfo sec_info,
179 [out,ref] sec_desc_buf **sdbuf
186 shutdown the SAM - once you call this the SAM will be dead
188 NTSTATUS samr_Shutdown (
189 [in,ref] policy_handle *connect_handle
194 NTSTATUS samr_LookupDomain (
195 [in,ref] policy_handle *connect_handle,
196 [in,ref] lsa_String *domain_name,
197 [out,ref] dom_sid2 **sid
211 [size_is(count)] samr_SamEntry *entries;
214 NTSTATUS samr_EnumDomains (
215 [in] policy_handle *connect_handle,
216 [in,out,ref] uint32 *resume_handle,
217 [out,ref] samr_SamArray **sam,
218 [in] uint32 buf_size,
219 [out,ref] uint32 *num_entries
223 /************************/
225 [public] NTSTATUS samr_OpenDomain(
226 [in,ref] policy_handle *connect_handle,
227 [in] samr_DomainAccessMask access_mask,
228 [in,ref] dom_sid2 *sid,
229 [out,ref] policy_handle *domain_handle
232 /************************/
235 typedef [v1_enum] enum {
236 SAMR_ROLE_STANDALONE = 0,
237 SAMR_ROLE_DOMAIN_MEMBER = 1,
238 SAMR_ROLE_DOMAIN_BDC = 2,
239 SAMR_ROLE_DOMAIN_PDC = 3
242 /* password properties flags */
243 typedef [public,bitmap32bit] bitmap {
244 DOMAIN_PASSWORD_COMPLEX = 0x00000001,
245 DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002,
246 DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004,
247 DOMAIN_PASSWORD_LOCKOUT_ADMINS = 0x00000008,
248 DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010,
249 DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020
250 } samr_PasswordProperties;
253 uint16 min_password_length;
254 uint16 password_history_length;
255 samr_PasswordProperties password_properties;
256 /* yes, these are signed. They are in negative 100ns */
257 dlong max_password_age;
258 dlong min_password_age;
262 NTTIME force_logoff_time;
263 lsa_String oem_information; /* comment */
264 lsa_String domain_name;
265 lsa_String primary; /* PDC name if this is a BDC */
273 } samr_DomGeneralInformation;
276 NTTIME force_logoff_time;
280 lsa_String oem_information; /* comment */
281 } samr_DomOEMInformation;
284 lsa_String domain_name;
297 NTTIME domain_create_time;
301 uint32 unknown; /* w2k3 returns 1 */
305 samr_DomGeneralInformation general;
306 hyper lockout_duration;
307 hyper lockout_window;
308 uint16 lockout_threshold;
309 } samr_DomGeneralInformation2;
312 hyper lockout_duration;
313 hyper lockout_window;
314 uint16 lockout_threshold;
319 NTTIME domain_create_time;
324 typedef [switch_type(uint16)] union {
325 [case(1)] samr_DomInfo1 info1;
326 [case(2)] samr_DomGeneralInformation general;
327 [case(3)] samr_DomInfo3 info3;
328 [case(4)] samr_DomOEMInformation oem;
329 [case(5)] samr_DomInfo5 info5;
330 [case(6)] samr_DomInfo6 info6;
331 [case(7)] samr_DomInfo7 info7;
332 [case(8)] samr_DomInfo8 info8;
333 [case(9)] samr_DomInfo9 info9;
334 [case(11)] samr_DomGeneralInformation2 general2;
335 [case(12)] samr_DomInfo12 info12;
336 [case(13)] samr_DomInfo13 info13;
339 NTSTATUS samr_QueryDomainInfo(
340 [in,ref] policy_handle *domain_handle,
342 [out,ref,switch_is(level)] samr_DomainInfo **info
345 /************************/
348 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
351 NTSTATUS samr_SetDomainInfo(
352 [in,ref] policy_handle *domain_handle,
354 [in,switch_is(level),ref] samr_DomainInfo *info
358 /************************/
360 NTSTATUS samr_CreateDomainGroup(
361 [in,ref] policy_handle *domain_handle,
362 [in,ref] lsa_String *name,
363 [in] samr_GroupAccessMask access_mask,
364 [out,ref] policy_handle *group_handle,
365 [out,ref] uint32 *rid
369 /************************/
372 const int MAX_SAM_ENTRIES_W2K = 0x400; /* 1024 */
373 const int MAX_SAM_ENTRIES_W95 = 50;
375 NTSTATUS samr_EnumDomainGroups(
376 [in] policy_handle *domain_handle,
377 [in,out,ref] uint32 *resume_handle,
378 [out,ref] samr_SamArray **sam,
379 [in] uint32 max_size,
380 [out,ref] uint32 *num_entries
383 /************************/
385 NTSTATUS samr_CreateUser(
386 [in,ref] policy_handle *domain_handle,
387 [in,ref] lsa_String *account_name,
388 [in] samr_UserAccessMask access_mask,
389 [out,ref] policy_handle *user_handle,
390 [out,ref] uint32 *rid
393 /************************/
397 /* w2k3 treats max_size as max_users*54 and sets the
398 resume_handle as the rid of the last user sent
400 const int SAMR_ENUM_USERS_MULTIPLIER = 54;
402 NTSTATUS samr_EnumDomainUsers(
403 [in] policy_handle *domain_handle,
404 [in,out,ref] uint32 *resume_handle,
405 [in] samr_AcctFlags acct_flags,
406 [out,ref] samr_SamArray **sam,
407 [in] uint32 max_size,
408 [out,ref] uint32 *num_entries
411 /************************/
413 NTSTATUS samr_CreateDomAlias(
414 [in,ref] policy_handle *domain_handle,
415 [in,ref] lsa_String *alias_name,
416 [in] samr_AliasAccessMask access_mask,
417 [out,ref] policy_handle *alias_handle,
418 [out,ref] uint32 *rid
421 /************************/
423 NTSTATUS samr_EnumDomainAliases(
424 [in] policy_handle *domain_handle,
425 [in,out,ref] uint32 *resume_handle,
426 [out,ref] samr_SamArray **sam,
427 [in] uint32 max_size,
428 [out,ref] uint32 *num_entries
431 /************************/
435 [range(0,1024)] uint32 count;
436 [size_is(count)] uint32 *ids;
439 NTSTATUS samr_GetAliasMembership(
440 [in,ref] policy_handle *domain_handle,
441 [in,ref] lsa_SidArray *sids,
442 [out,ref] samr_Ids *rids
445 /************************/
448 [public] NTSTATUS samr_LookupNames(
449 [in,ref] policy_handle *domain_handle,
450 [in,range(0,1000)] uint32 num_names,
451 [in,size_is(1000),length_is(num_names)] lsa_String names[],
452 [out,ref] samr_Ids *rids,
453 [out,ref] samr_Ids *types
457 /************************/
459 NTSTATUS samr_LookupRids(
460 [in,ref] policy_handle *domain_handle,
461 [in,range(0,1000)] uint32 num_rids,
462 [in,size_is(1000),length_is(num_rids)] uint32 rids[],
463 [out,ref] lsa_Strings *names,
464 [out,ref] samr_Ids *types
467 /************************/
469 NTSTATUS samr_OpenGroup(
470 [in,ref] policy_handle *domain_handle,
471 [in] samr_GroupAccessMask access_mask,
473 [out,ref] policy_handle *group_handle
476 /* Group attributes */
477 typedef [public,bitmap32bit] bitmap {
478 SE_GROUP_MANDATORY = 0x00000001,
479 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
480 SE_GROUP_ENABLED = 0x00000004,
481 SE_GROUP_OWNER = 0x00000008,
482 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
483 SE_GROUP_RESOURCE = 0x20000000,
484 SE_GROUP_LOGON_ID = 0xC0000000
487 /************************/
492 samr_GroupAttrs attributes;
494 lsa_String description;
498 samr_GroupAttrs attributes;
499 } samr_GroupInfoAttributes;
502 lsa_String description;
503 } samr_GroupInfoDescription;
508 GROUPINFOATTRIBUTES = 3,
509 GROUPINFODESCRIPTION = 4,
511 } samr_GroupInfoEnum;
513 typedef [switch_type(samr_GroupInfoEnum)] union {
514 [case(GROUPINFOALL)] samr_GroupInfoAll all;
515 [case(GROUPINFONAME)] lsa_String name;
516 [case(GROUPINFOATTRIBUTES)] samr_GroupInfoAttributes attributes;
517 [case(GROUPINFODESCRIPTION)] lsa_String description;
518 [case(GROUPINFOALL2)] samr_GroupInfoAll all2;
521 NTSTATUS samr_QueryGroupInfo(
522 [in,ref] policy_handle *group_handle,
523 [in] samr_GroupInfoEnum level,
524 [out,ref,switch_is(level)] samr_GroupInfo **info
527 /************************/
529 NTSTATUS samr_SetGroupInfo(
530 [in,ref] policy_handle *group_handle,
531 [in] samr_GroupInfoEnum level,
532 [in,switch_is(level),ref] samr_GroupInfo *info
535 /************************/
537 NTSTATUS samr_AddGroupMember(
538 [in,ref] policy_handle *group_handle,
543 /************************/
545 NTSTATUS samr_DeleteDomainGroup(
546 [in,out,ref] policy_handle *group_handle
549 /************************/
551 NTSTATUS samr_DeleteGroupMember(
552 [in,ref] policy_handle *group_handle,
557 /************************/
561 [size_is(count)] uint32 *rids;
562 [size_is(count)] uint32 *types;
565 NTSTATUS samr_QueryGroupMember(
566 [in,ref] policy_handle *group_handle,
567 [out,ref] samr_RidTypeArray **rids
571 /************************/
575 win2003 seems to accept any data at all for the two integers
576 below, and doesn't seem to do anything with them that I can
577 see. Weird. I really expected the first integer to be a rid
578 and the second to be the attributes for that rid member.
580 NTSTATUS samr_SetMemberAttributesOfGroup(
581 [in,ref] policy_handle *group_handle,
582 [in] uint32 unknown1,
587 /************************/
589 NTSTATUS samr_OpenAlias (
590 [in,ref] policy_handle *domain_handle,
591 [in] samr_AliasAccessMask access_mask,
593 [out,ref] policy_handle *alias_handle
597 /************************/
603 lsa_String description;
609 ALIASINFODESCRIPTION = 3
610 } samr_AliasInfoEnum;
612 typedef [switch_type(samr_AliasInfoEnum)] union {
613 [case(ALIASINFOALL)] samr_AliasInfoAll all;
614 [case(ALIASINFONAME)] lsa_String name;
615 [case(ALIASINFODESCRIPTION)] lsa_String description;
618 NTSTATUS samr_QueryAliasInfo(
619 [in,ref] policy_handle *alias_handle,
620 [in] samr_AliasInfoEnum level,
621 [out,ref,switch_is(level)] samr_AliasInfo **info
624 /************************/
626 NTSTATUS samr_SetAliasInfo(
627 [in,ref] policy_handle *alias_handle,
628 [in] samr_AliasInfoEnum level,
629 [in,switch_is(level),ref] samr_AliasInfo *info
632 /************************/
634 NTSTATUS samr_DeleteDomAlias(
635 [in,out,ref] policy_handle *alias_handle
638 /************************/
640 NTSTATUS samr_AddAliasMember(
641 [in,ref] policy_handle *alias_handle,
642 [in,ref] dom_sid2 *sid
645 /************************/
647 NTSTATUS samr_DeleteAliasMember(
648 [in,ref] policy_handle *alias_handle,
649 [in,ref] dom_sid2 *sid
652 /************************/
654 NTSTATUS samr_GetMembersInAlias(
655 [in,ref] policy_handle *alias_handle,
656 [out,ref] lsa_SidArray *sids
659 /************************/
661 [public] NTSTATUS samr_OpenUser(
662 [in,ref] policy_handle *domain_handle,
663 [in] samr_UserAccessMask access_mask,
665 [out,ref] policy_handle *user_handle
668 /************************/
670 NTSTATUS samr_DeleteUser(
671 [in,out,ref] policy_handle *user_handle
674 /************************/
677 lsa_String account_name;
678 lsa_String full_name;
680 lsa_String description;
686 lsa_String unknown; /* settable, but doesn't stick. probably obsolete */
691 /* this is also used in samr and netlogon */
692 typedef [public, flag(NDR_PAHEX)] struct {
693 uint16 units_per_week;
694 [size_is(1260), length_is(units_per_week/8)] uint8 *bits;
698 lsa_String account_name;
699 lsa_String full_name;
702 lsa_String home_directory;
703 lsa_String home_drive;
704 lsa_String logon_script;
705 lsa_String profile_path;
706 lsa_String workstations;
709 NTTIME last_password_change;
710 NTTIME allow_password_change;
711 NTTIME force_password_change;
712 samr_LogonHours logon_hours;
713 uint16 bad_password_count;
715 samr_AcctFlags acct_flags;
719 samr_LogonHours logon_hours;
723 lsa_String account_name;
724 lsa_String full_name;
727 lsa_String home_directory;
728 lsa_String home_drive;
729 lsa_String logon_script;
730 lsa_String profile_path;
731 lsa_String description;
732 lsa_String workstations;
735 samr_LogonHours logon_hours;
736 uint16 bad_password_count;
738 NTTIME last_password_change;
740 samr_AcctFlags acct_flags;
744 lsa_String account_name;
745 lsa_String full_name;
749 lsa_String account_name;
753 lsa_String full_name;
761 lsa_String home_directory;
762 lsa_String home_drive;
766 lsa_String logon_script;
770 lsa_String profile_path;
774 lsa_String description;
778 lsa_String workstations;
782 samr_AcctFlags acct_flags;
789 typedef [public, flag(NDR_PAHEX)] struct {
794 samr_Password lm_pwd;
795 samr_Password nt_pwd;
796 boolean8 lm_pwd_active;
797 boolean8 nt_pwd_active;
801 lsa_BinaryString parameters;
804 /* this defines the bits used for fields_present in info21 */
805 typedef [bitmap32bit] bitmap {
806 SAMR_FIELD_ACCOUNT_NAME = 0x00000001,
807 SAMR_FIELD_FULL_NAME = 0x00000002,
808 SAMR_FIELD_RID = 0x00000004,
809 SAMR_FIELD_PRIMARY_GID = 0x00000008,
810 SAMR_FIELD_DESCRIPTION = 0x00000010,
811 SAMR_FIELD_COMMENT = 0x00000020,
812 SAMR_FIELD_HOME_DIRECTORY = 0x00000040,
813 SAMR_FIELD_HOME_DRIVE = 0x00000080,
814 SAMR_FIELD_LOGON_SCRIPT = 0x00000100,
815 SAMR_FIELD_PROFILE_PATH = 0x00000200,
816 SAMR_FIELD_WORKSTATIONS = 0x00000400,
817 SAMR_FIELD_LAST_LOGON = 0x00000800,
818 SAMR_FIELD_LAST_LOGOFF = 0x00001000,
819 SAMR_FIELD_LOGON_HOURS = 0x00002000,
820 SAMR_FIELD_BAD_PWD_COUNT = 0x00004000,
821 SAMR_FIELD_NUM_LOGONS = 0x00008000,
822 SAMR_FIELD_ALLOW_PWD_CHANGE = 0x00010000,
823 SAMR_FIELD_FORCE_PWD_CHANGE = 0x00020000,
824 SAMR_FIELD_LAST_PWD_CHANGE = 0x00040000,
825 SAMR_FIELD_ACCT_EXPIRY = 0x00080000,
826 SAMR_FIELD_ACCT_FLAGS = 0x00100000,
827 SAMR_FIELD_PARAMETERS = 0x00200000,
828 SAMR_FIELD_COUNTRY_CODE = 0x00400000,
829 SAMR_FIELD_CODE_PAGE = 0x00800000,
830 SAMR_FIELD_PASSWORD = 0x01000000, /* either of these */
831 SAMR_FIELD_PASSWORD2 = 0x02000000, /* two bits seems to work */
832 SAMR_FIELD_PRIVATE_DATA = 0x04000000,
833 SAMR_FIELD_EXPIRED_FLAG = 0x08000000,
834 SAMR_FIELD_SEC_DESC = 0x10000000,
835 SAMR_FIELD_OWF_PWD = 0x20000000
836 } samr_FieldsPresent;
838 /* used for 'password_expired' in samr_UserInfo21 */
839 const int PASS_MUST_CHANGE_AT_NEXT_LOGON = 0x01;
840 const int PASS_DONT_CHANGE_AT_NEXT_LOGON = 0x00;
845 NTTIME last_password_change;
847 NTTIME allow_password_change;
848 NTTIME force_password_change;
849 lsa_String account_name;
850 lsa_String full_name;
851 lsa_String home_directory;
852 lsa_String home_drive;
853 lsa_String logon_script;
854 lsa_String profile_path;
855 lsa_String description;
856 lsa_String workstations;
858 lsa_BinaryString parameters;
863 [size_is(buf_count)] uint8 *buffer;
866 samr_AcctFlags acct_flags;
867 samr_FieldsPresent fields_present;
868 samr_LogonHours logon_hours;
869 uint16 bad_password_count;
873 uint8 nt_password_set;
874 uint8 lm_password_set;
875 uint8 password_expired;
879 typedef [public, flag(NDR_PAHEX)] struct {
881 } samr_CryptPassword;
884 samr_UserInfo21 info;
885 samr_CryptPassword password;
889 samr_CryptPassword password;
893 typedef [flag(NDR_PAHEX)] struct {
895 } samr_CryptPasswordEx;
898 samr_UserInfo21 info;
899 samr_CryptPasswordEx password;
903 samr_CryptPasswordEx password;
907 typedef [switch_type(uint16)] union {
908 [case(1)] samr_UserInfo1 info1;
909 [case(2)] samr_UserInfo2 info2;
910 [case(3)] samr_UserInfo3 info3;
911 [case(4)] samr_UserInfo4 info4;
912 [case(5)] samr_UserInfo5 info5;
913 [case(6)] samr_UserInfo6 info6;
914 [case(7)] samr_UserInfo7 info7;
915 [case(8)] samr_UserInfo8 info8;
916 [case(9)] samr_UserInfo9 info9;
917 [case(10)] samr_UserInfo10 info10;
918 [case(11)] samr_UserInfo11 info11;
919 [case(12)] samr_UserInfo12 info12;
920 [case(13)] samr_UserInfo13 info13;
921 [case(14)] samr_UserInfo14 info14;
922 [case(16)] samr_UserInfo16 info16;
923 [case(17)] samr_UserInfo17 info17;
924 [case(18)] samr_UserInfo18 info18;
925 [case(20)] samr_UserInfo20 info20;
926 [case(21)] samr_UserInfo21 info21;
927 [case(23)] samr_UserInfo23 info23;
928 [case(24)] samr_UserInfo24 info24;
929 [case(25)] samr_UserInfo25 info25;
930 [case(26)] samr_UserInfo26 info26;
933 [public] NTSTATUS samr_QueryUserInfo(
934 [in,ref] policy_handle *user_handle,
936 [out,ref,switch_is(level)] samr_UserInfo **info
940 /************************/
942 [public] NTSTATUS samr_SetUserInfo(
943 [in,ref] policy_handle *user_handle,
945 [in,ref,switch_is(level)] samr_UserInfo *info
948 /************************/
951 this is a password change interface that doesn't give
952 the server the plaintext password. Depricated.
954 NTSTATUS samr_ChangePasswordUser(
955 [in,ref] policy_handle *user_handle,
956 [in] boolean8 lm_present,
957 [in,unique] samr_Password *old_lm_crypted,
958 [in,unique] samr_Password *new_lm_crypted,
959 [in] boolean8 nt_present,
960 [in,unique] samr_Password *old_nt_crypted,
961 [in,unique] samr_Password *new_nt_crypted,
962 [in] boolean8 cross1_present,
963 [in,unique] samr_Password *nt_cross,
964 [in] boolean8 cross2_present,
965 [in,unique] samr_Password *lm_cross
968 /************************/
971 typedef [public] struct {
973 samr_GroupAttrs attributes;
974 } samr_RidWithAttribute;
976 typedef [public] struct {
978 [size_is(count)] samr_RidWithAttribute *rids;
979 } samr_RidWithAttributeArray;
981 NTSTATUS samr_GetGroupsForUser(
982 [in,ref] policy_handle *user_handle,
983 [out,ref] samr_RidWithAttributeArray **rids
986 /************************/
992 samr_AcctFlags acct_flags;
993 lsa_String account_name;
994 lsa_String description;
995 lsa_String full_name;
996 } samr_DispEntryGeneral;
1000 [size_is(count)] samr_DispEntryGeneral *entries;
1001 } samr_DispInfoGeneral;
1006 samr_AcctFlags acct_flags;
1007 lsa_String account_name;
1008 lsa_String description;
1009 } samr_DispEntryFull;
1013 [size_is(count)] samr_DispEntryFull *entries;
1014 } samr_DispInfoFull;
1019 samr_GroupAttrs acct_flags;
1020 lsa_String account_name;
1021 lsa_String description;
1022 } samr_DispEntryFullGroup;
1026 [size_is(count)] samr_DispEntryFullGroup *entries;
1027 } samr_DispInfoFullGroups;
1031 lsa_AsciiStringLarge account_name;
1032 } samr_DispEntryAscii;
1036 [size_is(count)] samr_DispEntryAscii *entries;
1037 } samr_DispInfoAscii;
1039 typedef [switch_type(uint16)] union {
1040 [case(1)] samr_DispInfoGeneral info1;/* users */
1041 [case(2)] samr_DispInfoFull info2; /* trust accounts? */
1042 [case(3)] samr_DispInfoFullGroups info3; /* groups */
1043 [case(4)] samr_DispInfoAscii info4; /* users */
1044 [case(5)] samr_DispInfoAscii info5; /* groups */
1047 NTSTATUS samr_QueryDisplayInfo(
1048 [in,ref] policy_handle *domain_handle,
1050 [in] uint32 start_idx,
1051 [in] uint32 max_entries,
1052 [in] uint32 buf_size,
1053 [out,ref] uint32 *total_size,
1054 [out,ref] uint32 *returned_size,
1055 [out,ref,switch_is(level)] samr_DispInfo *info
1059 /************************/
1063 this seems to be an alphabetic search function. The returned index
1064 is the index for samr_QueryDisplayInfo needed to get names occurring
1065 after the specified name. The supplied name does not need to exist
1066 in the database (for example you can supply just a first letter for
1067 searching starting at that letter)
1069 The level corresponds to the samr_QueryDisplayInfo level
1071 NTSTATUS samr_GetDisplayEnumerationIndex(
1072 [in,ref] policy_handle *domain_handle,
1074 [in,ref] lsa_String *name,
1075 [out,ref] uint32 *idx
1080 /************************/
1084 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1086 NTSTATUS samr_TestPrivateFunctionsDomain(
1087 [in,ref] policy_handle *domain_handle
1091 /************************/
1095 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1097 NTSTATUS samr_TestPrivateFunctionsUser(
1098 [in,ref] policy_handle *user_handle
1102 /************************/
1106 uint16 min_password_length;
1107 samr_PasswordProperties password_properties;
1110 [public] NTSTATUS samr_GetUserPwInfo(
1111 [in,ref] policy_handle *user_handle,
1112 [out,ref] samr_PwInfo *info
1115 /************************/
1117 NTSTATUS samr_RemoveMemberFromForeignDomain(
1118 [in,ref] policy_handle *domain_handle,
1119 [in,ref] dom_sid2 *sid
1122 /************************/
1126 how is this different from QueryDomainInfo ??
1128 NTSTATUS samr_QueryDomainInfo2(
1129 [in,ref] policy_handle *domain_handle,
1131 [out,ref,switch_is(level)] samr_DomainInfo **info
1134 /************************/
1138 how is this different from QueryUserInfo ??
1140 NTSTATUS samr_QueryUserInfo2(
1141 [in,ref] policy_handle *user_handle,
1143 [out,ref,switch_is(level)] samr_UserInfo *info
1146 /************************/
1150 how is this different from QueryDisplayInfo??
1152 NTSTATUS samr_QueryDisplayInfo2(
1153 [in,ref] policy_handle *domain_handle,
1155 [in] uint32 start_idx,
1156 [in] uint32 max_entries,
1157 [in] uint32 buf_size,
1158 [out,ref] uint32 *total_size,
1159 [out,ref] uint32 *returned_size,
1160 [out,ref,switch_is(level)] samr_DispInfo *info
1163 /************************/
1167 how is this different from GetDisplayEnumerationIndex ??
1169 NTSTATUS samr_GetDisplayEnumerationIndex2(
1170 [in,ref] policy_handle *domain_handle,
1172 [in,ref] lsa_String *name,
1173 [out,ref] uint32 *idx
1177 /************************/
1179 NTSTATUS samr_CreateUser2(
1180 [in,ref] policy_handle *domain_handle,
1181 [in,ref] lsa_String *account_name,
1182 [in] samr_AcctFlags acct_flags,
1183 [in] samr_UserAccessMask access_mask,
1184 [out,ref] policy_handle *user_handle,
1185 [out,ref] uint32 *access_granted,
1186 [out,ref] uint32 *rid
1190 /************************/
1194 another duplicate. There must be a reason ....
1196 NTSTATUS samr_QueryDisplayInfo3(
1197 [in,ref] policy_handle *domain_handle,
1199 [in] uint32 start_idx,
1200 [in] uint32 max_entries,
1201 [in] uint32 buf_size,
1202 [out,ref] uint32 *total_size,
1203 [out,ref] uint32 *returned_size,
1204 [out,ref,switch_is(level)] samr_DispInfo *info
1207 /************************/
1209 NTSTATUS samr_AddMultipleMembersToAlias(
1210 [in,ref] policy_handle *alias_handle,
1211 [in,ref] lsa_SidArray *sids
1214 /************************/
1216 NTSTATUS samr_RemoveMultipleMembersFromAlias(
1217 [in,ref] policy_handle *alias_handle,
1218 [in,ref] lsa_SidArray *sids
1221 /************************/
1224 NTSTATUS samr_OemChangePasswordUser2(
1225 [in,unique] lsa_AsciiString *server,
1226 [in,ref] lsa_AsciiString *account,
1227 [in,unique] samr_CryptPassword *password,
1228 [in,unique] samr_Password *hash
1231 /************************/
1233 NTSTATUS samr_ChangePasswordUser2(
1234 [in,unique] lsa_String *server,
1235 [in,ref] lsa_String *account,
1236 [in,unique] samr_CryptPassword *nt_password,
1237 [in,unique] samr_Password *nt_verifier,
1238 [in] boolean8 lm_change,
1239 [in,unique] samr_CryptPassword *lm_password,
1240 [in,unique] samr_Password *lm_verifier
1243 /************************/
1245 NTSTATUS samr_GetDomPwInfo(
1246 [in,unique] lsa_String *domain_name,
1247 [out,ref] samr_PwInfo *info
1250 /************************/
1252 NTSTATUS samr_Connect2(
1253 [in,unique,string,charset(UTF16)] uint16 *system_name,
1254 [in] samr_ConnectAccessMask access_mask,
1255 [out,ref] policy_handle *connect_handle
1258 /************************/
1261 seems to be an exact alias for samr_SetUserInfo()
1263 [public] NTSTATUS samr_SetUserInfo2(
1264 [in,ref] policy_handle *user_handle,
1266 [in,ref,switch_is(level)] samr_UserInfo *info
1269 /************************/
1272 this one is mysterious. I have a few guesses, but nothing working yet
1274 NTSTATUS samr_SetBootKeyInformation(
1275 [in,ref] policy_handle *connect_handle,
1276 [in] uint32 unknown1,
1277 [in] uint32 unknown2,
1278 [in] uint32 unknown3
1281 /************************/
1283 NTSTATUS samr_GetBootKeyInformation(
1284 [in,ref] policy_handle *domain_handle,
1285 [out,ref] uint32 *unknown
1288 /************************/
1290 NTSTATUS samr_Connect3(
1291 [in,unique,string,charset(UTF16)] uint16 *system_name,
1292 /* this unknown value seems to be completely ignored by w2k3 */
1293 [in] uint32 unknown,
1294 [in] samr_ConnectAccessMask access_mask,
1295 [out,ref] policy_handle *connect_handle
1298 /************************/
1302 SAMR_CONNECT_PRE_W2K = 1,
1303 SAMR_CONNECT_W2K = 2,
1304 SAMR_CONNECT_AFTER_W2K = 3
1305 } samr_ConnectVersion;
1307 NTSTATUS samr_Connect4(
1308 [in,unique,string,charset(UTF16)] uint16 *system_name,
1309 [in] samr_ConnectVersion client_version,
1310 [in] samr_ConnectAccessMask access_mask,
1311 [out,ref] policy_handle *connect_handle
1314 /************************/
1317 typedef enum samr_RejectReason samr_RejectReason;
1320 samr_RejectReason reason;
1323 } samr_ChangeReject;
1325 NTSTATUS samr_ChangePasswordUser3(
1326 [in,unique] lsa_String *server,
1327 [in,ref] lsa_String *account,
1328 [in,unique] samr_CryptPassword *nt_password,
1329 [in,unique] samr_Password *nt_verifier,
1330 [in] boolean8 lm_change,
1331 [in,unique] samr_CryptPassword *lm_password,
1332 [in,unique] samr_Password *lm_verifier,
1333 [in,unique] samr_CryptPassword *password3,
1334 [out,ref] samr_DomInfo1 **dominfo,
1335 [out,ref] samr_ChangeReject **reject
1338 /************************/
1342 samr_ConnectVersion client_version; /* w2k3 gives 3 */
1343 uint32 unknown2; /* w2k3 gives 0 */
1344 } samr_ConnectInfo1;
1347 [case(1)] samr_ConnectInfo1 info1;
1350 [public] NTSTATUS samr_Connect5(
1351 [in,unique,string,charset(UTF16)] uint16 *system_name,
1352 [in] samr_ConnectAccessMask access_mask,
1353 [in] uint32 level_in,
1354 [in,ref,switch_is(level_in)] samr_ConnectInfo *info_in,
1355 [out,ref] uint32 *level_out,
1356 [out,ref,switch_is(*level_out)] samr_ConnectInfo *info_out,
1357 [out,ref] policy_handle *connect_handle
1360 /************************/
1362 NTSTATUS samr_RidToSid(
1363 [in,ref] policy_handle *domain_handle,
1365 [out,ref] dom_sid2 *sid
1369 /************************/
1373 this should set the DSRM password for the server, which is used
1374 when booting into Directory Services Recovery Mode on a DC. Win2003
1375 gives me NT_STATUS_NOT_SUPPORTED
1378 NTSTATUS samr_SetDsrmPassword(
1379 [in,unique] lsa_String *name,
1380 [in] uint32 unknown,
1381 [in,unique] samr_Password *hash
1385 /************************/
1387 /************************/
1388 typedef [bitmap32bit] bitmap {
1389 SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET = 0x00000001,
1390 SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME = 0x00000002,
1391 SAMR_VALIDATE_FIELD_LOCKOUT_TIME = 0x00000004,
1392 SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT = 0x00000008,
1393 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH = 0x00000010,
1394 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY = 0x00000020
1395 } samr_ValidateFieldsPresent;
1398 NetValidateAuthentication = 1,
1399 NetValidatePasswordChange= 2,
1400 NetValidatePasswordReset = 3
1401 } samr_ValidatePasswordLevel;
1403 /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't
1404 * identified the mapping of
1405 * - NERR_PasswordFilterError
1406 * - NERR_PasswordExpired and
1407 * - NERR_PasswordCantChange
1412 SAMR_VALIDATION_STATUS_SUCCESS = 0,
1413 SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE = 1,
1414 SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT = 2,
1415 SAMR_VALIDATION_STATUS_BAD_PASSWORD = 4,
1416 SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT = 5,
1417 SAMR_VALIDATION_STATUS_PWD_TOO_SHORT = 6,
1418 SAMR_VALIDATION_STATUS_PWD_TOO_LONG = 7,
1419 SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH = 8,
1420 SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT = 9
1421 } samr_ValidationStatus;
1425 [size_is(length)] uint8 *data;
1426 } samr_ValidationBlob;
1429 samr_ValidateFieldsPresent fields_present;
1430 NTTIME_hyper last_password_change;
1431 NTTIME_hyper bad_password_time;
1432 NTTIME_hyper lockout_time;
1433 uint32 bad_pwd_count;
1434 uint32 pwd_history_len;
1435 [size_is(pwd_history_len)] samr_ValidationBlob *pwd_history;
1436 } samr_ValidatePasswordInfo;
1439 samr_ValidatePasswordInfo info;
1440 samr_ValidationStatus status;
1441 } samr_ValidatePasswordRepCtr;
1443 typedef [switch_type(uint16)] union {
1444 [case(1)] samr_ValidatePasswordRepCtr ctr1;
1445 [case(2)] samr_ValidatePasswordRepCtr ctr2;
1446 [case(3)] samr_ValidatePasswordRepCtr ctr3;
1447 } samr_ValidatePasswordRep;
1450 samr_ValidatePasswordInfo info;
1451 lsa_StringLarge password;
1452 lsa_StringLarge account;
1453 samr_ValidationBlob hash;
1454 boolean8 pwd_must_change_at_next_logon;
1455 boolean8 clear_lockout;
1456 } samr_ValidatePasswordReq3;
1459 samr_ValidatePasswordInfo info;
1460 lsa_StringLarge password;
1461 lsa_StringLarge account;
1462 samr_ValidationBlob hash;
1463 boolean8 password_matched;
1464 } samr_ValidatePasswordReq2;
1467 samr_ValidatePasswordInfo info;
1468 boolean8 password_matched;
1469 } samr_ValidatePasswordReq1;
1471 typedef [switch_type(uint16)] union {
1472 [case(1)] samr_ValidatePasswordReq1 req1;
1473 [case(2)] samr_ValidatePasswordReq2 req2;
1474 [case(3)] samr_ValidatePasswordReq3 req3;
1475 } samr_ValidatePasswordReq;
1477 NTSTATUS samr_ValidatePassword(
1478 [in] samr_ValidatePasswordLevel level,
1479 [in,switch_is(level)] samr_ValidatePasswordReq req,
1480 [out,ref,switch_is(level)] samr_ValidatePasswordRep *rep